Introduction

Handling privacy badly can do a corporation damage. This page provides a
few selected vignettes, showing instances of negative impacts on corporations
resulting from bad behaviour.

This document is not in any way a census of all of the large number of
privacy disasters that have been perpetrated by corporations. It's just a
sample, and it's only updated occasionally. Feel free to send me information
and URLs relating to other significant cock-ups.

Lotus Marketplace: Households - 1990-91

In April 1990, the then very successful Lotus Corp., in a joint venture with
Equifax, developed a product called Lotus MarketPlace: Households - a CD-ROM
containing a vast array of consumer data. Consumer protest killed it in
January 1991 (Culnan 1991, Culnan & Smith 1995, Gurak 1997).

Intel's Processor Serial Number - 1999-2000

In 1999, Intel announced that it would include a unique Processor Serial
Number (PSN) in its new generation of chips. The PSN's stated purposes included
identifying eCommerce customers.

The company released some batches of chips into the field, but resistance grew
even stronger, and much broader, even including the Chinese Government
(Guangming 1999). In April 2000, the company announced that it was dropping the
feature (McCullagh 2000).

Doubleclick - 1999-2000

Doubleclick's stock price suffered badly following revelations about its
privacy-invasive practices. It was forced to abandon its plans to consolidate
personal data with the clickstream data it collected online, surreptitiously
and without consent (Fields & Cohen 2003).

Eli Lilly - 2001-02

Pharmaceutical company Eli Lilly manufactures the anti-depressant medication
Prozac. On 27 July 2001, an auto-generated e-mail message included all of the
recipients' e-mail addresses within the To: line of the message, thereby
disclosing to each individual subscriber the e-mail addresses of all 669
Medi-messenger subscribers.

The blunder attracted media attention out of all apparent proportion to its
small scale, because of the extreme sensitivity of the information disclosed.
An ACLU complaint forced the FTC to find against the company (FTC 2002a).

Microsoft - 2002

As Microsoft sought to hold off gathering storms surrounding the insecurity
of Windows and Office, EPIC and others forced the FTC's hand in relation to
another set of the company's products.

The company was found by the FTC to have falsely represented that it employed
adequate security measures in relation to its Passport and Passport Wallet
services (FTC 2002b).

Benetton - 2003

On 12 March 2003, Benetton and Philips Electronics jointly announced that
RFID chips were to be installed in Benetton's Sisley clothing line. RFID tags
enable tracking not only along the supply chain (which all parties are
enthusiastic about), but also in and beyond the retail outlet (RFID 2003; both
Benetton and Philips appear to have later withdrawn the media release from
their sites).

ChoicePoint - 2005

"By February 2005, ChoicePoint's name was splattered across the press in the
first of many -- and more serious -- breaches to be revealed under newly
adopted state disclosure laws. ...

"The market cap of ChoicePoint ... dropped 22% in the ensuing three months ...
Until then, ChoicePoint had been growing its business at a healthy rate of more
than 10% a year, but suddenly it became a household term associated with
identity theft." ... (all above quotes from Gartner 2006).

A review of the debacle, written for corporate executives such as Chief
Information Security Officers, is in Scalet (2005). The company was allowed to
settle its liabilities at federal level with $US 15 million in penalties
(FTC 2006). A later settlement with the States added a further $0.5 million to
the penalties - although the legal costs would have been higher than that of
course, and the negative publicity much more significant.

The impact was not felt only by the company concerned: "The U.S. Congress
convened hearings on the data brokerage and credit industry's practices in
managing sensitive customer data." (Gartner 2006)

Google - 2004-

Since 2004, Google has come under increasing fire from privacy activists.
The first major salvo related to its Gmail service (PRC 2004). The inherently
privacy-intrusive nature of many of Google's services has been exacerbated by
the company's cavalier attitudes, by the freedoms it grants itself through its
privacy policy statements, and by its evident intention to cross-link the data
from its many businesses by means of its imposition of a single identifier on
each user (Clarke 2006).

To date Google has successfully exploited its status as a successful investment
and its 'do no evil' mantra as shields against sceptical questioning from
journalists. The honeymoon won't last forever.

Sony BMG - 2005-07

In 2005, Sony BMG was discovered to have published millions of CDs that
installed a rootkit. (A rootkit is malware that circumvents normal
protections in order to enable user-hostile functions to be performed without
detection).

When it was caught out, the company issued misleading statements. It then
released patches to uninstall the rootkit, but in doing so it exposed users to
an even more serious vulnerability. The company eventually recalled the CDs
(Schneier 2005). See also Groklaw 2005-11.

Lengthy criminal investigations were undertaken, the majority of US States
litigated, and class-action lawsuits were also brought against the company in
both the USA and Canada. The saga cost the company many millions, but also a
lot of executive time and a great deal of consumer goodwill.

Hewlett-Packard - 2006

In 2006, senior executives of Hewlett-Packard were deeply implicated in
"questionable, and perhaps illegal, subterfuge to obtain phone records of [its
own] directors and journalists". It resulted in a U.S. House of Representatives
Committee writing a letter to the company expressing serious concern about the
company using pretexting and data brokers, and initiating Hearings (HoR 2006).

This led to the early departure of the CEO, and forced the company to issue "a
statement full of apologies and attempts to restore good relations"
(Darlin 2006).

The affair added further fuel to the blaze of publicity about the lack of
credibility of the Boards and senior executives of major American corporations.
And the inability of the courts to enforce criminal charges undermined the
credibility of the law. But HP still paid the state of California $14.5
million in penalties.

Unsolicited Telephone Calls - 2003-

Faced with an ongoing consumer revolt over unsolicited telephone calls, the
US Congress finally passed the Do-Not-Call Implementation Act in March 2003. By
the end of the first month of operation in October 2003, over 50 million
numbers had been signed up with the US National Do-Not-Call Register, in the
expectation that this would prevent marketing calls. That count more than
doubled by the end of 2005. Surveys suggest about 75% of the US private
subscriber base has registered.

Some segments of business have made strenuous attempts to have the legislation
overturned (but it was found by the courts to be constitutional), and to create
loopholes in the Act (so far without success).

As early as November 2003, the FCC proposed to fine AT&T $780,000 for calls to
29 consumers on 78 separate occasions after those consumers had requested that
AT&T not call them again (FCC 2003). Miscreants during 2004-05 included
American Express, and Dynasty Mortgage, which committed 70 violations @ $11,000
each (FCC 2007).

During 2006, DirecTV, a major supplier of satellite TV, was fined $100,000, a
commercial book club, a Doubleday affiliate, forfeited $680,000, and Credit
Foundation of America paid nearly $1 million for making deceptive prerecorded
calls (Smith 2007).

Regulatory action is hotting up in spam and spyware as well, with the FTC
forcing companies that install spyware on unsuspecting users' computers to
forfeit more than $6.5 million (Smith 2007).

Inadequate Information Security - 2007

"The UK Financial Services Authority (FSA) fined Nationwide Building
Society £980,000 for failing to have effective systems and controls to manage
its information security risks. The failings came to light following the theft
of a laptop from a Nationwide employee's home last year" (FSA 2007).

Information Security Breach Notification Laws - 2003-

In the early 2000s, there was a long succession of media stories about leaks
of personal data from company databases, primarily in the USA. For one
example, see ChoicePoint above. Many involved credit-card details and other
data useful for identity
fraud. The US Government added fuel to that particular fire by referring to
the risks as being to 'identity theft' (whose consequences are severe, but
which is uncommon) rather than 'identity fraud' (which has been commonplace for
years, long before the Internet, and indeed long before the intrinsically
insecure credit-card facility was invented).

There is evidence that these breaches impact share prices, although usually
less spectacularly than occurred with ChoicePoint (Campbell et al. 2003,
Telang & Wattal 2005, Acquisti et al. 2006). Despite that evidence, however,
many corporations and
industry associations fail to take appropriate actions to improve the security
of personal data.

The Californian legislature responded in 2003, by passing a Security Breach
Notification Law (originally SB 1386, which can be found in California Civil
Code Sections 1798.29 and 1798.82). This requires that California consumers be
notified when sensitive personal data about them is illegitimately obtained
from a server or database (Givens 2003).

"To September 2006, ..., 34 states have passed information breach notification
laws similar to California's" (Gartner 2006). The ripple effect has not been
restricted to the USA, with the Australian Privacy Commissioner announcing that
she was recommending that such a law be passed in Australia (Miller 2006).

Facebook - 2004-2012

A form of web-site emerged around 2003-04 referred to generically as 'social
networking services' (SNS). From the very beginning, SNS have been blatantly
exploitative of personal data. My initial criticisms at the beginning of 2004
focussed on an early leader in the emergent marketplace, Plaxo.

During the next few years, market dominance in many countries was achieved
instead by Facebook. This had been launched by Mark Zuckerberg in early 2004,
within Harvard University, but was widely available by mid-2004. It enjoyed
explosive growth during the following years, with traffic volumes catching up
with Google's by the end of 2009. Its advertising revenue grew progressively,
and it was also reported as achieving profitability from about the end of
2009.

The service has always exposed some of each user's profile-data, but the nature
and extent of the exposure has kept growing. In late 2006, Facebook imposed
new features on users without prior notice, let alone consent. One example
that gave rise to substantial negative feedback from users was the
auto-publication of changes to users' profiles to all of their friends. Many
users were unhappy about Facebook's right to disclose users' data to other
companies ("We may share your information with third parties, including
responsible companies with which we have a relationship"). Reports suggested
that user-pressure resulted in the clause being removed from the company's
privacy policy in the revision of November 2008.

Many other concerns have existed throughout Facebook's life, such as
non-conservative default settings, inadequate granularity in the privacy
settings, complex and unhelpful user interfaces for managing privacy settings,
and unannounced, arbitrary changes variously to privacy settings, the user
interfaces whereby they can be managed, and the effects of the settings that
users have already chosen. Also of concern has been the lack of clarity about
whether and how data can actually be deleted.

In September 2007, Facebook began allowing non-members to search for users,
with the intent of opening limited 'public profiles' up to search engines such
as Google. This was also implemented non-consensually. And in late 2007, a
feature called Beacon was added, enabling third-party websites (particularly
commercial sites) to gather data about users and pass it to Facebook, for
automatic publication. The company's responses to criticisms and requests for
change, rather than dissipating concerns, added to them. In due course,
Facebook was forced by a class-action lawsuit to abandon the Beacon program in
November 2009 and pay a $US 9.5 million settlement (Guynn 2010).

In mid-2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC)
lodged a 35-page complaint with the Canadian Privacy Commissioner. The
Commissioner's Report supported some of the heads of complaint (PCC 2009).
Facebook agreed to comply with some, but not all, of the Commissioner's
recommendations. However, an analysis of the changes that Facebook actually
made suggested that the company had subverted the intention (Bankston 2009).

In late 2009, privacy controls for the News Feed and Mini Feed were removed,
making it impossible for users to exercise control over the activities
published on their walls and flushed out to the public news feed. Then, in
December 2009, Facebook unilaterally declared particular information, including
'lists of friends', to be "publicly available", with no privacy setting. Apart
from breaching prior undertakings to users, this created physical danger for
those who lived in countries subject to repressive regimes. This gave rise to
a wave of criticism (Jones 2009), including from EFF, ACLU and EPIC, and
closure and suspension of Facebook pages by a variety of commentators. It
also resulted in a further investigation by the Canadian Privacy Commissioner.
Again, Zuckerberg sought to brazen his way through it. One of his reported
epithets was "the default is social".

During 2010, things have not gone well for the reputations of Facebook and its
founder. In January 2010, Kirkpatrick (2010) attributed to Zuckerberg the
statement that "if [I] were to create Facebook again today, user information
would by default be public". Then in March, Carlson (2010a) made serious
accusations about unethical behaviour by Zuckerberg during the foundation phase
of the service in early 2004.

In late April, Opsahl (2010) documented the successive changes in Facebook's
privacy policies,
and summarised the story this way: "Since its incorporation ..., Facebook has
undergone a remarkable transformation. When it started, it was a private space
for communication with a group of your choice. Soon, it transformed into a
platform where much of your information is public by default. Today, it has
become a platform where you have no choice but to make certain information
public, and this public information may be shared by Facebook with its partner
websites and used to target ads". The same day, a report was published that
attributed to a Facebook employee the statement "[Zuck] doesn't believe in
[privacy]" (Van Buskirk 2010).

In May, a Wired headline declared 'Facebook's Gone Rogue' (Singel 2010). Then
it was widely reported that Zuckerberg had explained to a friend in 2004 that
people submitted personal data to him because "They 'trust me'. Dumb f..ks"
(Carlson 2010c, News.com 2010).

Then an article demonstrated just how long it took, and how much understanding
it demanded, to 'put Facebook on a privacy lockdown' (Carlson 2010b), and the
New York Times represented Facebook's privacy settings as 'A Bewildering Tangle
of Options', involving 50 settings with more than 170 options (NYT 2010). An
animation of the evolution of profile settings from 2005 to 2010 was displayed
at http://mattmckeon.com/facebook-privacy/, and tools for checking privacy
settings were on offer at http://www.reclaimprivacy.org/.

The long succession of privacy-breaching actions by the company has culminated
in widespread cynicism about both the company and its founder. In the space of
a few days in mid-May, a considerable amount of 'bad press' was delivered by a
wide range of opinion-leaders, including accusations of classic
'bait-and-switch' manoeuvring (Grossman 2010). Modest numbers of people
abandoned the service, and tried to delete their data from the site. The EU's
privacy committee issued a rebuke, saying that "It is unacceptable that the
company fundamentally changed the default settings on its social-networking
platform to the detriment of a user" (Out-Law.com, 2010). And a formal
complaint was submitted to the US regulator, requesting the FTC to "determine
whether the company has in fact engaged in unfair and/or deceptive trade
practices, require Facebook to restore privacy settings that were previously
available ..., [and] require Facebook to give users meaningful control over
personal information" (EPIC 2010).

At the beginning of 2011, Facebook resumed its relentless drive to exploit its
users' personal data. It amended a dialogue box to invite users to approve
their home addresses and phone number being accessible by third-party
developers (Moyer 2011). This was seen by commentators as part of an attempt by
Facebook to succeed where other initiatives had failed (such as Microsoft
Passport) and become the dominant identity management hub (e.g. Vaughan-Nichols
2011). Strong negative reactions forced the company to backtrack within a few
days (Gustin 2011). A BBC report took the opportunity to include a short review
of Facebook's troubled privacy history.

From its beginnings and onward throughout its life, Facebook and its founder
have demonstrated privacy-insensitivity and downright privacy-hostility. This
has reflected both the founder's dismissive attitude to the privacy interests
of other people and the dependence of the company's business model on targeted
advertising. The company's behaviour has been gradually undermining its strong
position in the market, and may well be responsible, in the relatively short
term, for large-scale destruction of shareholder-value.

A series of high-handed actions, compounded by a number of what may well have
been outright blunders, dogged Facebook through 2011 and into 2012. By April
2012, even a social media spruiker (O'Connor 2012) was warning about the
potential for distrust through privacy breach to undermine the Facebook brand:

"[social networking services make] profit primarily by using heretofore private
information it has collected about you to target advertising. And Zuckerberg
has repeatedly made sudden, sometimes ill conceived and often poorly
communicated policy changes that resulted in once-private personal information
becoming instantly and publicly accessible. As a result, once-latent concerns
over privacy, power and profit have bubbled up and led both domestic and
international regulatory agencies to scrutinize the company more closely.

...

"The high-handed manner in which members' personal information has been
treated, the lack of consultation or even communication with them beforehand,
Facebook's growing domination of the entire social networking sphere,
Zuckerberg's constant and very public declarations of the death of privacy and
his seeming imposition of new social norms all feed growing fears that he and
Facebook itself simply can not be trusted."

Google Buzz and WiFi - 2009-12

Despite the gathering clouds outlined earlier, Google led a charmed life
through to 2009. Users were highly enthused by the
features of each new (near-permanent beta) service and each additional feature
that the company released. They were too busy to think critically about what
the deal was that they were getting themselves into. The media, including most
of the 'technical' media, reprinted Google media releases, and gushed about the
smart people that the company employed, the clever way it had got control of
the Web advertising market, and how much money it was making. Hagiography
abounded, and critical analysis was seldom undertaken and little-reported.

Then, between December 2009 and May 2010, the company made a series of blunders
that cost it its undeserved halo.

The first mistake was on 9 December 2009, when CEO Eric Schmidt said, during
what should have been just another advertorial interview, "If you have
something that you don't want [Google] to know, maybe you shouldn't be doing it
in the first place". The statement was widely covered in the media, with many
commentators deploring his sentiment. Here is an EFF article. See also this
piece on 'Google, Privacy, and You': "There has never before been a time in
human history when one single, private entity has collected this much
information on a measurable percentage of the world's population". The warnings
that had been given by privacy advocates 5-6 years earlier were beginning to
reach the mainstream.

The second mistake was the release of Buzz on about 10 February 2010. Buzz was
intended to leverage Gmail into the Social Networking space. As explained in
my own first take on the product, "Personal data about gmail subscribers has
been re-purposed. Specifically, each gmail subscriber's associations with
'other people' are being disclosed to other 'other people'. This has been done
without formal notice to them, and without their consent ... The actions taken
are quite possibly illegal use and disclosure of personal data without
consent". Further, "location-display may be opt-out, not consent-based. And of
course the personal data in this case is potentially highly-sensitive, from a
safety perspective". Yet worse, it appeared that people who were not Gmail
subscribers could be caught up in the web of unauthorised disclosures, simply
by being a regular correspondent with one or more people who were Gmail
subscribers.

Commentators were extremely negative about the appropriation of personal data
held by Google to new purposes, and about the failure to put
privacy-conservative defaults in place (e.g. NYT 12 Feb 2010). The wave of
media coverage was the most negative response that any release by Google had
ever encountered. The spin that the company's media relations quickly launched
suggested that the company had backed off very quickly (e.g. NYT 14 Feb 2010),
and some actual improvements appear to have been made (e.g. Bhat 2010).

The blunder had broader implications. On 19 April 2010, 10 Privacy
Commissioners wrote a joint letter to Google, saying "your recent rollout of
the Google Buzz
social networking application ... betrayed a disappointing disregard for
fundamental privacy norms and laws. Moreover, this was not the first time you
have failed to take adequate account of privacy considerations when launching
new services. ... In essence, you took Google Mail (Gmail), a private,
one-to-one web-based e-mail service, and converted it into a social networking
service ... Unfortunately, Google Buzz is not an isolated case. ... We
therefore call on you ... to incorporate fundamental privacy principles
directly into the design of new online services".

Privacy advocates remained very negative about Buzz, but, much more
significantly than that, it was suddenly okay for normal people to think
critically about Google's offerings. The company's careful nurturing of trust
(or, as a cynic would have put it, the triumph of the company's
image-management over the substance of the matter) had been seriously
compromised, and was in no fit state to withstand the damage that could be
caused by another mistake on the same scale.

The third mistake came to light on 22 April 2010, when The Register reported
that "[Google's] Street View service is under fire [from the German Data
Protection Commissioner, Peter Schaar] for scanning private WLAN networks, and
recording users' unique [device] addresses, as the car trundles along".

Google's European privacy advisor, Peter Fleischer, tried to hose down the
furore with a posting on 27 April 2010. Rather than putting the matter to rest,
the text raised further doubt in many people's minds. Further investigations
ensued, not least by the Data Protection Commissioner of one of the German
Länder (states), Hamburg.

Google then went into damage limitation mode. Its most senior engineer
published a post on 14 May 2010, mirrored here, which said that "[Hamburg
Commissioner Caspar's] request prompted us to
re-examine everything we have been collecting, and during our review we
discovered that a statement made in [the Fleischer post] on April 27 was
incorrect ... It's now clear that we have been mistakenly collecting
samples of payload data [i.e. message content] from open (i.e.
non-password-protected) WiFi networks". Further, "we [have] grounded our
Street View cars and segregated the data on our network, which we then
disconnected to make it inaccessible. We want to delete this data as soon as
possible, and are currently reaching out to regulators in the relevant
countries about how to quickly dispose of it. ... In addition, given the
concerns raised, we have decided that it's best to stop our Street View cars
collecting WiFi network data entirely".

The backflip and mea culpa were widely reported, e.g. "European
privacy regulators and advocates reacted angrily Saturday to the disclosure by
Google ... that it had systematically collected private data since 2006 while
compiling its Street View photo archive" (NYT 15 May 2010).

By this stage, Data Protection Commissioners in multiple jurisdictions across
Europe, and as far afield as New Zealand, were in earnest discussion with their
local Google offices, seeking factual responses to a variety of questions about
Wifi-related data collection, use and retention. Advocacy group Consumer
Watchdog was reported to have written to the US Federal Trade Commission (FTC)
urging it to investigate Google's behaviour.

In many jurisdictions, it's quite likely that the collection of message
payloads was in breach of local data protection law, and quite possible that
the collection of device-identifiers was as well. Actual prosecution appeared
unlikely in most jurisdictions, not least because most data protection laws are
subject to very limited enforcement actions. The Irish Data Protection
Commissioner, for example, quickly dismissed the possibility of legal action.
On the other hand, countries that may pursue the matter include France and,
significantly for Google, Italy (Sayer 2010). Beyond any possible court action,
however, the media and the
public had delivered harsher judgements than any courts could have done. For
Google, the fairy-tale was over.

In April 2012, the US FTC eventually levied a fine on Google for its breach.
New information that emerged in that report caused the UK ICO to re-open its
investigation. Then, in July 2012, Google discovered that it had failed to
comply with its undertakings to delete all of the data that it had collected in
at least 10 countries. That drew fire even from the usually business-friendly
Irish Data Protection Commissioner (Vinograd & Satter 2012).

Taking a broad view, two related factors appear to have been major contributors
to the problems that Google has created for itself. One factor is the
company's devil-may-care approach to engineering. This places high value on
creativity, rapid prototyping and a 'permanent-beta' culture, and low value on
QA, release management, and other kinds of filtering and control mechanisms
that mature corporations have learnt to impose. A second factor is the
presumption that people everywhere are just like Google engineers, and hence
can be relied upon to have the same enthusiasms. Internal, alpha, beta and
user testing are therefore one and the same thing. No need exists for
consultation with the hordes of individual users, nor with the organisations
that represent and advocate for their interests. After this series of
train-smashes, perhaps voices of calm reason within the company will no longer
be ignored.

Octopus, Hong Kong - 2010

Octopus has been one of the world's most successful contactless smartcard
applications. Since 1997, it has enabled both identified and anonymous payment
on Hong Kong's public transport system, and has expanded into several related
areas such as car-parks and convenience stores.

In mid-2010, the company was forced by the Hong Kong Privacy Commissioner to
retract a previous denial and admit that it had been selling its customers'
personal information since January 2006, and had accumulated over $US 5 million
from doing so (HK-PCPD 2010, Yu 2010).

The results for the company included the resignation of the CEO over her
"mismanagement and initial denial about her company's actions", harm done to
the brand to the extent that the departing CEO felt it necessary to urge the
public to continue using Octopus Cards, and contribution of the entire $US 5
million to charities (Chong 2010).

The result for business as a whole was that, at a stage when a review of the
legislation was drawing to a conclusion, both the outgoing and incoming Privacy
Commissioners felt it necessary to call for criminal sanctions to be created
for misuse of personal data.

Sony - 2011

In mid-April 2011, "hackers exploited a known security vulnerability" on
Sony's web-sites, exposing personal data including [loginids and] credit-card
details of "as many as 100 million customers of Sony's PlayStation Network
[PSN], Sony Online Entertainment and Qriocity film and music service"
(Edwards & Riley 2011).

The article continued: "It takes about a half a year to stabilize sales and
confidence in a company's network after a breach, Lawrence Ponemon, founder of
the Ponemon Institute, which studies the financial cost of data breaches, said
in an interview".

The hacked files were critical to the use of the services, and PSN was
unavailable to its 77 million users for more than 4 weeks, and longer in parts
of Asia.

In July, it was reported that Sony's insurer was seeking to avoid any liability
to cover the company's costs (Berkowitz 2011). As early as May, the direct
impacts on Sony were estimated at
$US178 million in the current financial year; but that was likely to rise
significantly, with the court briefs suggesting that 55 class-action complaints
had been filed in the United States alone.

Google - 2012

On 25 January 2012, Google announced that it was making substantial changes
to the Terms of Service and Privacy Policies that applied to consumers. The c.
60 documents were now consolidated into one (plus, it transpired, a few
others). The effect was to enable data arising from all services to be
consolidated, and used and disclosed for any purpose relating to any service.

The changes needed to be seen in their context:

the changes represented a renege on previous undertakings, demonstrating
the meaninglessness of Terms and Policies that include a statement that they
are 'subject to unilateral change'

the changes applied retrospectively

merely using a Google account after 1 March was deemed to represent
agreement to the Terms

there is no requirement that Google ever delete any personal data that it
collects

it is possible to delete a Google account (although the function was
difficult to find, and difficult to use), but that merely cut off the user's
access to the data about themselves. It remained available to Google

The responses from regulators, oversight agencies and advocacy groups
included the following. Some quotations are from the EPIC site. See also the
Daily-Mail article of 2 March 2012:

USA

"EPIC has urged a federal court to require the Federal Trade Commission to
determine whether Google's changes violate a 2011 Consent Order. The court
denied the motion. As at 2 March 2012, the case was on appeal". For more
information, see EPIC v. FTC

36 State Attorneys-General, on 22 February 2012, wrote a letter to Google
deriding the new policy as an 'invasion of privacy'

EU

The Article 29 Working Party (the Data Protection Commissioners) were reported
on 6 February as having requested a deferral and being ignored. Their position
was that "Our preliminary analysis shows that Google's new policy does not meet
the requirements of the European Directive on Data Protection, especially
regarding the information provided to data subjects"

"European Justice Minister Viviane Reding said today that Google's March 1
changes to its terms of service violate European Union law "in numerous
respects." Commissioner Reding pointed to the failure of the company to obtain
user consent, the lack of transparency, and the fact that most users do not
read privacy policies. European privacy officials recently concluded that the
changes do not comply with the European Union Data Protection Directive and
asked the company to suspend its planned changes." See the NYT article of
1 March 2012

France. The regulator, CNIL, wrote a letter to Google, saying that, based on
its preliminary analysis, Google's new policy does not meet the requirements of
the EU Directive

Canada. The Privacy Commissioner sent a letter to Google on 23 February,
raising a number of specific concerns

Asia-Pacific. APPA (the Asia-Pacific Privacy Authorities) sent a letter to
Google on 28 February, making very polite enquiries. Google sent a
prompt-but-evasive reply - and the enquiry had in any case omitted a great many
of the key issues

Japan. The Ministry of Economic Trade and Industry and the Ministry of
Internal Affairs and Communication wrote a joint warning to Google

Korea. The UK Daily Mail mentioned Korea as also having
expressed concerns

Australia

Australian Privacy Foundation (APF) published on 29 January 2012 a Policy
Statement, and called on the Australian regulators ACCC and OAIC to act
promptly

the ACCC acknowledged APF's letter and then did precisely nothing

the OAIC took a full month, but it then participated in (and possibly was the
driver behind) the APPA letter to Google on 28 February - although this
appears to have been the least complete and mildest of all of the
communications that Google received on the matter

Privacy International. Simon Davies published an Opinion Piece in The
Guardian on 1 March 2012, depicting Google's document as "one of the most
deceptive, provocative and possibly unlawful documents it has ever produced"

Transatlantic Consumer Dialogue. A letter to Google called for suspension of
Google's plan to modify its privacy policy: "It is both unfair and unwise for
you to 'change the terms of the bargain' as you propose to do." TACD said
"consumers have relied on your policies and your terms of service in choosing
your products"

UK Big Brother Watch. BBW wrote that few Google service users had read
Google's new privacy policy

Google ignored the tumult, and left the arrangements in place, changing the
Terms and Policies on 1 March 2012.

Postscript: Microsoft quietly took advantage of Google's leadership in the
consumer-hostility stakes, and made similar changes to its Terms of Service -
and got away with it (Sullivan 2012).

Telstra - 2012

Telstra is one of Australia's largest corporations. It is the dominant
telco, a result of privatisation of the PTT several decades ago. Telstra had
been involved in a variety of privacy breaches in recent years. For example,
in December 2011, it was discovered that 734,000 customer records had been
exposed on the Web, for a period of 8 months. The privacy oversight agency
prevaricated, then refused to publish the findings of its investigation, and
let off the corporation with the lightest of warnings. The telecommunications
regulator, ACMA, found that a serious breach had occurred, but also failed to
take any meaningful action. This was announced only after 7 months had elapsed
(Moses 2012).

At the same time, in June 2012, tech-savvy customers uncovered the fact that
the telco was sending to a third party, outside the country, the URLs that
Telstra's mobile customers visited. This was being done in real-time (i.e.
less than a quarter-second across the Pacific). The justification was that the
other company was developing a new web filtering product and needed raw data
for experimentation. The company, Netsweeper, is based in Canada, but the data
was sent to the USA, which meant that the data was subject to only very weak
privacy protection laws, and was readily available to US government agencies.
Moreover, Netsweeper has a record of selling censorware to Middle Eastern
governments (Gregory 2012).

Telstra at first sought to manage the crisis. It declared that this was
"normal network operation", and then that no personal data was involved,
because only the pathnames were transmitted, without the parameter data. That
was met with public derision, and was shown to be wrong as well. The company
was lambasted by an Internet luminary - and ex-Telstra employee (Huston
2012). Arguments were put forward by a variety of people that the action
was in breach of the Telecommunications Access and Interception Act (TIAA) -
and involved serious criminal offences subject to gaol terms.

By early July, the corporation had halted the practice, and the CEO had told
staff in an internal email that the company had "broken our customers' trust
[which] is a commodity that's both precious and fragile ... It takes months and
years to build, but can be broken in one day ... [Privacy is] an essential
requirement and our licence to operate" (itNews 2012). Pressure was growing on
the weak Privacy Commissioner, the weak telecommunications regulator (ACMA),
and the unwilling Australian Federal Police (AFP) to actually take some action
against the breaches.

Instagram - 2012

Instagram is a social media service-provider centred on photo-sharing from
handhelds. It was launched in 4Q 2010, initially for Apple iPhones and iPads,
in 2012 extending to Android-based mobile devices. It was perceived to be
'cooler' than its predecessors, particularly flickr and Google's Picasa, and
enjoyed very rapid growth. The company, with 13 employees, was acquired by
Facebook for (nominally) about $1 billion in 2Q 2012, only 18 months after
launch.

In mid-December 2012, the company exercised its self-granted right to change
its Terms of Service when and how it wished, declaring substantial changes with
a month's notice (McCullagh 2012). The changes enabled Instagram to charge
organisations for the use of users' images and data, without recompense to the
user, and without the user's consent, or even knowledge, and without even the
ability to opt-out.

With the public sensitised to abuses of this kind, particularly by Facebook and
Google, but also Microsoft, the change was noticed and remarked upon by many
commentators. A wave of criticism ensued. Probably importantly, National
Geographic suspended its Instagram account.

Instagram appears to have had no public relations contingency plans in place.
After 30 hours, the company withdrew the wording, and set about licking its
wounds (McCullagh & Tam 2012). A class action was under way within a week
(Levine 2012).

The furore appears to have resulted from a combination of the obvious
commercial unfairness (profiting from the work of others, and denying them a
cut), overlaid with privacy concerns about the content of the images and
associated data.

Target - 2013-15

Between 27 November and 18 December 2013, US retailer Target was subject to
a cyber-attack that compromised data on at least 40 million customers and
possibly another 70 million (Krebs 2014).

It subsequently emerged that the breach had been detected, and the company
warned about the problem, on 30 November and 2 December, but failed to act
promptly, which enabled the volume of data that leaked to escalate (Heavey
2014). That deficiency created much greater exposure to negligence lawsuits.

Significant reductions in revenue followed, "after news of the cyber attack and
theft of payment card data spooked shoppers". The company suffered a 46% drop
in net profit in the quarter and an 11% drop in share-value. "Target's
reputation ... had been tarnished by the fact that many customers have either
had to have payment cards replaced or find themselves checking their monthly
statements more closely, giving them a negative association with the retailer"
(Finkle 2014).

The first few months' costs were declared in early 2014 as being $61 million,
with much more to come for such items as card-reissue, lawsuits, government
probes and enforcement proceedings, legal expenses, investigative and
consulting fees, and capital investments. The total cost "would certainly be
in the hundreds of millions of dollars and could top $1 billion". In August
2014, the company's estimate had reached $148 million, of which $38 million was
offset by insurance - but claims were not yet settled, and it was recognised
that the figure could go higher (Masters 2014).

Over a year later, further elements had become clearer, with class-action
claims resulting in settlements of USD 20m to banks, $20m to MasterCard, $67m
to Visa and $10m to some of its own customers. This was declared by the
corporations affected to be a lot less than the total expenses they incurred.
Total liquid costs had reached $290m less $90m covered by insurers, but there
were still more actions in train, and a vast amount of wasted executive and
staff time (itNews 2015).

Home Depot - 2014-15

In September 2014, Home Depot announced that there had been a very large
breach of its payment data systems (McGrath 2014). It was immediately
speculated that the breach might cost the corporation $100 million. The
stock-price dropped 2.5%. It was later announced that "Attackers stole 56
million payment card details and collected 53 million email addresses of
people who shopped at Home Depot's stores between April and September in the
U.S. and Canada".

It later reported $43m in costs in September and October 2014 alone, of which
it expected $15m to be covered by insurance (HD 2014). It was also facing a
significant number of lawsuits, from "customers, payment card brands, payment
card issuing banks, shareholders or others". It expected to incur significant
legal and other professional services expenses in future periods, and "the
ultimate amount paid on these services and claims could be material to the
Company's consolidated financial condition, results of operations, or cash
flows in future periods".

The laxness of the company's security safeguards was evident from its
statement that "the intruder used a vendor's user name and password to enter
the perimeter of the Company's network. The intruder then acquired elevated
rights that allowed it to navigate portions of the Company's network and to
deploy unique, custom-built malware".

TalkTalk - 2015-16

In October 2015, UK telco TalkTalk suffered a data breach. The impacts
included Stg80m / AUD164m for financial costs and loss of revenue, suspension
of marketing activities, a 3% loss of subscriber-base, and a substantial drop
in share-price (itNews 2016).


Acknowledgements

Thanks to Ari Schwarz at CDT in Washington DC, Lee Bygrave in Oslo, Anna
Johnston in Sydney, Beth Givens in San Diego, Jason Catlett in New York, Mary
Culnan in Boston, Ross Anderson in Cambridge UK, Stephan Engberg in Copenhagen,
Robert Ellis Smith of Privacy Journal in Providence RI, and to you for sending
me additional leads and references.

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.